From owner-freebsd-security Sat Sep 30 22:18:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 94FF437B502 for ; Sat, 30 Sep 2000 22:18:45 -0700 (PDT)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id BAA12179; Sun, 1 Oct 2000 01:18:38 -0400 (EDT) (envelope-from wollman)
Date: Sun, 1 Oct 2000 01:18:38 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200010010518.BAA12179@khavrinen.lcs.mit.edu>
To: "Jeffrey J. Mountin"
Cc: security@FreeBSD.ORG
Subject: Re: Security and FreeBSD, my overall perspective
In-Reply-To: <4.3.2.20000930160153.00b8bc10@207.227.119.2>
References: <20000930122217.A51270@freefall.freebsd.org> <2973.970342843@winston.osd.bsdi.com> <4.3.2.20000930160153.00b8bc10@207.227.119.2>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> While I like this idea to some extent, there should be a disclaimer and/or
> be used on ports that have been checked over.

Let me re-emphasize this. The mere fact that we are putting some effort into auditing some parts of the software we ship with could potentially create legal liability if any potential security problems are missed by the audit. This is true even despite any disclaimers we or the original authors might make, because the legal `footprint' of such disclaimers varies from place to place [1]. That's why it is important that, as FreeBSD becomes more commercially important, *someone* pay for a general-liability insurance policy which could protect the Project from such suits.

It is an unfortunate fact of life that those who exercise editorial discretion (``publishers'') can, by omission as much as by commission, attract more legal scrutiny than mere conduits for information. Of course, it's not just security issues that could cause trouble; intellectual-property issues have been a problem in the past (remember xtetris?) and are likely to rise again.

We also have to be concerned (although I've seen no evidence that the security team is anything but) that we make absolutely certain that a program really does have a security problem before reporting it as such; getting an advisory wrong could be cause for a lawsuit.

-GAWollman

[1] That's why the standard consumer-products warranty boilerplate always says something like, ``This warranty gives you specific legal rights, and you may have others which vary from jurisdiction to jurisdiction.'' I am told that Massachusetts is one of those places.